Disable external access? (NEED HELP ASAP)

Hey Everybody, I have a security concern and I need help ASAP. I believe that since I posted my public IP on these forums I have had people trying to gain access to my router. Can you please tell me how to disable external access so people cannot keep trying to break my passwords? I am running a 450G with 4.11 OS, thanks.

Here is what my logs are telling me:

(273 messages not shown)
oct/10/2010 20:18:07 system,error,critical login failure for user test from 212.66.5.115 via ssh
oct/10/2010 20:18:09 system,error,critical login failure for user admin from 212.66.5.115 via ssh
oct/10/2010 20:18:10 system,error,critical login failure for user user from 212.66.5.115 via ssh
oct/10/2010 20:18:12 system,error,critical login failure for user guest from 212.66.5.115 via ssh
oct/10/2010 20:18:13 system,error,critical login failure for user tom from 212.66.5.115 via ssh
oct/10/2010 20:18:15 system,error,critical login failure for user bill from 212.66.5.115 via ssh
oct/10/2010 20:18:16 system,error,critical login failure for user gary from 212.66.5.115 via ssh
oct/11/2010 05:59:33 system,error,critical login failure for user root from 114.255.100.163 via ssh
[admin@MikroTik] >

Simplest approach, which will need tweaking but will do for now:

  1. create address lists for administrative access to the router
  2. allow access from that address list
  3. drop everything else going to the ports for ftp, web, telnet, ssh and winbox

In the below you obviously have to edit the entries in the address list to reflect the networks you would be accessing the router from. If you mess that up you will lock yourself out.

# networks allowed to manage the router (edit to match your own)
/ip firewall address-list
add list=admin-access address=192.168.0.0/24
add list=admin-access address=10.0.0.0/16
/ip firewall filter
# accept traffic to the router from the admin networks first
add chain=input src-address-list=admin-access action=accept
# then drop everyone else on ftp, ssh, telnet, web and winbox
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

The wiki has lots of user contributed, extensive articles on how to protect your router. They go into far more detail and protect more than just the above.

Lastly, just because you posted your IP here doesn’t mean that led to the login attempts. There are millions of computers out on the Internet scanning every possible address for well-known ports, brute forcing the ones they find to allow them access.

Check this one too.

http://gregsowell.com/?p=1076

Thanks Guys, the bastard hasn’t stopped all day. I just did Fewi’s approach for now.

Glad that worked, but make sure to check out the wiki and Greg’s site (which indeed is awesome) for better approaches. What I posted is a quick fix in a hurry.

Also, just for informational purposes: it’s probably not ‘a bastard’ doing it, but some infected machine of a clueless user, or a compromised server. This kind of stuff is fully automated nowadays and happens literally all the time, to everyone. No one is targeting you directly - or at least it’s exceedingly unlikely that anyone is, particularly if it’s a dictionary attack trying default usernames as your logs show.
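
Added example, not part of any post in this thread: a Python sketch that parses login-failure lines in the format shown in the question, rejoins entries that the console wrapped in the middle of an address, and flags a source that tries several usernames within a short window, which is the automated dictionary pattern described above. The function names, the `min_users` and `window_s` thresholds and the sample lines (RFC 5737 documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown in the question (RFC 5737 addresses),
# including console wrapping that splits an address across two lines.
SAMPLE = """\
oct/10/2010 20:18:07 system,error,critical login failure for user test from 20
3.0.113.115 via ssh
oct/10/2010 20:18:09 system,error,critical login failure for user admin from 2
03.0.113.115 via ssh
oct/10/2010 20:18:10 system,error,critical login failure for user guest from 203.0.113.115 via ssh
oct/11/2010 05:59:33 system,error,critical login failure for user root from 19
8.51.100.163 via ssh
"""

STAMP = re.compile(r"^[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
FAIL = re.compile(r"^(\S+ \S+) \S+ login failure for user (\S+) from (\S+) via (\S+)$")

def unwrap(text):
    """Rejoin hard-wrapped lines: a line without a timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line  # assumes the wrap fell mid-token, as in the sample
    return entries

def summarize(text, min_users=3, window_s=60):
    """Per source: attempts, usernames tried, and whether it looks like a dictionary run."""
    seen = defaultdict(list)
    for entry in unwrap(text):
        m = FAIL.match(entry.strip())
        if m:
            when = datetime.strptime(m.group(1).title(), "%b/%d/%Y %H:%M:%S")
            seen[m.group(3)].append((when, m.group(2)))
    report = {}
    for src, hits in seen.items():
        times = [t for t, _ in hits]
        users = {u for _, u in hits}
        span = (max(times) - min(times)).total_seconds()
        report[src] = {"attempts": len(hits), "users": sorted(users),
                       "dictionary": len(users) >= min_users and span <= window_s}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```
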